Why Policies ≠ Capability



To have a policy or not to have a policy isn't the question... The question is whether your organisation can actually act on it.


Organisations often mistake the existence of a policy for the existence of a capability. They are not the same thing!


A policy defines what should happen. Capability determines what actually happens when it matters. The gap between the two is where insider risk lives.


Most organisations have policies covering acceptable use, data handling, access management, and incident reporting. Those policies are real. They are documented, approved, and communicated. And yet incidents still occur within organisations that have all of them in place.


The reason is straightforward. Policies create expectations. They do not create detection, response, coordination, or judgement. They describe a standard of behaviour without building the organisational muscle to uphold it under pressure.


Capability requires something policies cannot provide: people who know what to do, structures that connect the right functions, tools that surface the right signals, and leadership that acts when something feels wrong, before it becomes undeniable.


An organisation with a strong acceptable use policy but no mechanism for managers to raise early concerns has a document, not a defence.


An organisation with a data handling policy but no access hygiene has compliance language and open pathways.


An organisation with an incident response policy but no cross-functional triage has a plan that will not hold under pressure.


Policies tell people what the organisation expects. Capability tells the organisation what it can actually do.


The question is not whether a policy exists. The question is whether the organisation can act on it.